Restricting data access (Auth)
Restricting data access (Auth)
Our clients—including market research agencies, financial institutions, and consultancies—handle sensitive data, requiring controlled access. Previously, access was managed at the organisation level, meaning all members could see all projects. To enable more granular control, we implemented project-level access and enhanced authorisation.
Problem
Many companies run confidential projects that require restricted access—e.g., management consultancies need "ethical walls" for competitor work, and brands must protect employee survey data.
However, AllVue’s access control was organisation-wide (e.g., everyone at PwC could see all PwC projects - see below). This limitation made the platform unsuitable for 15% of all surveys and 60% of those from our most active users.
To make AllVue viable for all surveys, we needed to introduce granular, project-level access controls.
Challenge
We needed to introduce project-level security to support the 15% of projects requiring restricted access—without adding friction for the remaining 85%, especially as we aimed to grow adoption among users who didn’t regularly face this issue.
To keep operations efficient, access needed to be managed by account managers, not central teams (e.g., development, support, or IT), so they could focus on high-priority work.
Additionally, we wanted to streamline access management—keeping setup effortless for most users while ensuring restricted projects remained secure.
Approach
To design an effective solution, product management and UX designers collaborated to conduct interviews with account managers and clients to understand their security needs. Key insights included:
1️⃣ Security groups were impractical – Many users worked across multiple accounts, meaning a group-based approach would create as many groups as users, making management complex.
2️⃣ Access restrictions were minimal – In most cases, only a handful of people needed restricted access, reducing the need for bulk uploads.
3️⃣ Most projects didn’t require restrictions – We needed a setup where full organisational access was the default, but restricted projects wouldn’t be temporarily open before access was revoked.
4️⃣ Interim reporting was a barrier to adoption – Users had to manually "turn on" every project before reporting, delaying workflows, especially for market research agencies.
Solution Design
🧔 Account-based access – Instead of security groups, we enabled direct assignment of individuals to projects, allowing a few people to be added at once while keeping the process lightweight.
🖥️ No IT dependency – Security groups required IT management, contradicting our need for account manager control. We opted for a simpler, in-app assignment model.
🔓 Effortless default access – A one-click setting enabled full organisational access when needed, without risk of restricted projects being temporarily exposed.
📊 Seamless interim reporting – Even when access wasn’t granted to all, projects would automatically appear for internal users to start reporting—removing the manual “turn on” step.
This approach ensured security was granular where needed, frictionless for most users, and scalable without burdening IT or development teams.
Result
The introduction of project-level access controls significantly improved security, efficiency, and platform adoption:
✅ 100% of restricted projects could now be securely managed within AllVue
✅ IT & support intervention reduced by 90%, as account managers could now control access directly - the last 10% accounts for internal restrictions (e.g. NDA’s within Savanta)
✅ Interim reporting improvements enabled a 20% increase in platform usage by brands, as they could now begin analysis earlier.
✅ Faster project setup – Projects were instantly available for internal users, eliminating manual activation delays.
By balancing security and usability, we expanded AllVue’s applicability while ensuring minimal friction for everyday users.